On building your skillset

Right now I've been reading The Hacker Playbook 3.

I've had it for a while, but I always only read bits and pieces. I started reading it again, and there's some good stuff. Where the THP2 is more focused on pentesting skills, THP3 is more about the Red Team. It focuses more strongly on avoiding detection and emulating real-world threat actors.

It's great to learn, but sometimes it can be a bit overwhelming to look around at all there is to pick up and feel like you've only scratched the surface.

Additionally, I've continued my Python learning journey. I'm still a n00b, but things are slowly becoming easier to do. I hope that trend continues.

Of course, we've all read about the log4j thing, and probably much more about it than I can even offer. Still,  it was cool to read up on and I actually got to work on a check recently. It was pretty basic, and only tested web servers, but it was still kind of cool to have the opportunity to work on something different.

I once had a manager at a security company that did pentesting tell me something, and I can see what he meant.

You have to think of your skills and abilities as a toolbox. You have this big toolbox that maybe starts empty or with very little in it.

You pick up a tool, you put it in the toolbox. You pick up another, you put that in the toolbox. Eventually, a year later, you have a whole bunch of new tools (skills), and you are better at using them. For instance, when I started learning about tunneling or XSS.  I didn't know what either were. They seemed ridiculously hard to figure out. Like, they made no sense at first. I kept at it. I went through the labs, I started trying things that were increasingly complex. Eventually, I became good enough to know how to use them in real-world applications. I've used SSH tunnels and port forwarding in real-life applications just as well as I've found XSS in real-life web applications and websites. Multiple times. Dang. Feels good now that I think about it.